The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.
Public Sector
- Requirements, funding and prototyping: A new cyber range underway in Florida will enable network defenders to hone their skills with ‘in-the-box’ exercises for attacking and defending in a simulated cyber realm.
- Government agencies remain a cyber target for adversaries: Verizon’s latest Data Breach Investigations Report notes that 16 percent of breaches hit the public sector, with a notable increase in espionage activity. By contrast, outside government most attacks are financially motivated.
- Cyber workforce conversion: The Marines are leading the charge in the rollout of the Cyber Excepted Service (CES), a new system that establishes market-based pay scales and faster hiring authorities. Some are now anticipating that existing employees may opt to convert to CES as well. So far, adoption has been slow, but the new initiative will ultimately help bring more talent where it’s needed most.
- In this case, innovation is ahead of regulation: There’s an age-old debate between regulators and innovators: regulate too much and you stifle innovation; innovate too fast and regulation can’t keep up. At the end of the day it’s about balancing benefits against risks, but the FCC’s decision to move ahead with 5G spectrum licenses, despite U.S. Navy warnings about interference with weather-satellite sensors, may put the data those satellites collect at risk.
- At least your CVV wasn’t stolen: The specifics of this latest retail attack, what was taken and what may have been exposed, are still unfolding. So far there are some positives: only partial credit card information may have been stolen, and CVV numbers were likely neither displayed nor stored. Alarmingly, though, credential stuffing attacks of this type, in which usernames and passwords leaked from other breaches are replayed against a site’s login page, run to roughly 115 million attempts every day.
- Criminal attacks and human error account for majority of breaches: According to the latest report from the Office of the Australian Information Commissioner (OAIC), a single incident compromised the information of more than 10 million individuals, roughly 40 percent of the country’s population. Affected sectors ranged from healthcare and legal to finance and retail.
- Security in layers: In healthcare, connected devices are everywhere, there is no standardization across them, and many are inherently insecure. To address this, some anticipate consolidation among security providers and device manufacturers.
- Insider privilege abuse a top concern in healthcare: This article points to misdirected mail, misdelivery and ransomware as some of the top cyber challenges the industry faces. Above all, it singles out insiders, both malicious and careless, as a major cyber risk.
- Bank of England calls for Super Shield—and public-private collaboration: Following the model of a U.S. private-sector initiative, the Bank of England (BoE) is looking to a ‘super shield’ to guard against catastrophic cyberattacks on the financial system. A stress test scheduled for later this year will measure firms’ ‘impact tolerance’ and test their recovery capabilities.
- When in doubt, test it out: The Group of Seven (G7), which consists of the U.S., Canada, France, Germany, Italy, Japan and the United Kingdom, is preparing a cross-border cyber war game that simulates an attack on international banks, the first exercise of its kind.
Operational Technology / Industrial Control Systems
- Until critical infrastructure is completely homogeneous, there’s no need for cyber panic: There’s a lot of fear, uncertainty and doubt (FUD) around attacks on U.S. critical infrastructure. Some call it alarmist rhetoric, so the perspective of a former NSA analyst is worth hearing: the diversity of systems and vendors across the sector limits how far any single attack can spread. In short, an attack that costs operators visibility into a plant isn’t ideal, but it’s a far cry from a cyber Pearl Harbor.
- Cyber insurance for maritime physical damage and loss of hire: From January 1, 2021, cyber security requirements are formalized under Chapter IX of the International Convention for the Safety of Life at Sea (SOLAS), Regulations 1-6, Management for the Safe Operation of Ships. Notably, the changes require vessel owners and operators to have incorporated measures for managing cyber risk into their existing risk management processes.
State, Local & Education
- Who doesn’t love free advertising? Ransomware trends can be hard to follow: global ransomware volume dropped last year, yet attacks on state and local governments are surging, to the point that some targets have been hit more than once. Researchers theorize that even though only about 17 percent of attempts succeed, landing a big-name target brings big-name publicity along with it.
- Are privacy measures an invitation to criminals? After a license plate reader gave police officers a false positive on a stolen vehicle, San Francisco has become the first U.S. city to ban the use of facial recognition tools by its police and other municipal departments. The automobile brought countless benefits to law-abiding citizens when it was introduced, but it also gave criminals a high-speed getaway; facial recognition likewise helps apprehend lawbreakers, so if it’s banned, might the city see an increase in criminal activity?
- New Industrial Internet of Things (IIoT) firmware analysis: The firmware powering industrial control systems is publicly available, so why not analyze it? Vulnerable third-party components and insecure configuration remain common issues in IoT devices. Further, “PLCNext, the next generation PLC device of Phoenix Contact can be fully accessed by a physical attacker in a matter of seconds and its main service can be made unavailable over the network.”
- Patches for Windows XP? This must be interesting. Microsoft has fixed a vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008 R2 and Windows Server 2008 that is reachable over the Remote Desktop Protocol (RDP) without authentication, and took the unusual step of also shipping fixes for the out-of-support Windows XP and Windows Server 2003. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.” Until every affected system is patched, blocking TCP 3389 at the network edge and enabling Network Level Authentication reduce exposure, though NLA only raises the bar to an authenticated attacker and is no substitute for the fix.
- Beyond Meltdown and Spectre—RIDL, ZombieLoad, and Fallout: A new set of speculative-execution side-channel vulnerabilities in Intel CPUs, collectively known as Microarchitectural Data Sampling (MDS), reportedly affects processors going back to 2008. Mitigation needs both a microcode update and operating system patches, and fully closing the hole may mean disabling Hyper-Threading (SMT). The issues bring hardware product security lifecycles back to center stage, and lend support to automated asset inventories that record hardware specifications down to CPU model and microcode revision.
- Applied Risk Labs releases series of Building Automation System (BAS) advisories: New research revisits building automation vulnerabilities, a recurring Operational Technology topic. Products from multiple vendors were studied, including Computrols, Optergy, Prima Systems and Nortek (Linear), and each vendor had at least one finding rated high or critical on the CVSS scale.
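The call for asset inventories that record hardware specifications is the one item in this roundup where a worked example helps. What follows is an added example, not Forescout’s code and not from any of the research cited above: it builds a per-host hardware record from /proc/cpuinfo and the Linux kernel’s /sys/devices/system/cpu/vulnerabilities/ status files, so an inventory can answer which hosts still report MDS as unmitigated or still have SMT exposed. The sample cpuinfo text and status strings are constructed to mirror what a patched-kernel, unpatched-microcode host reports, and the function and class names are my own.

```python
"""Hardware asset record with speculative-execution mitigation status.

Added example (not Forescout's code). On a real Linux host the data comes
from /proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities/*; the
parsing functions take file contents as arguments so the example also runs
offline on the constructed samples at the bottom.
"""
from dataclasses import dataclass, field
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


@dataclass
class CpuAsset:
    vendor: str
    model_name: str
    family: int
    model: int
    stepping: int
    microcode: str
    flags: frozenset
    bugs: frozenset
    vulnerabilities: dict = field(default_factory=dict)

    @property
    def has_md_clear(self) -> bool:
        """True when the running microcode advertises MD_CLEAR, which the
        kernel's MDS mitigation (VERW-based buffer clearing) depends on."""
        return "md_clear" in self.flags

    def unmitigated(self) -> list:
        """Names of issues the kernel reports as still vulnerable."""
        return sorted(name for name, status in self.vulnerabilities.items()
                      if status.startswith("Vulnerable"))

    def smt_exposed(self) -> list:
        """Issues whose status notes that SMT (Hyper-Threading) is still exposed."""
        return sorted(name for name, status in self.vulnerabilities.items()
                      if "SMT vulnerable" in status)


def parse_cpuinfo(text: str) -> dict:
    """Parse the first processor block of /proc/cpuinfo into a key/value dict."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line terminates the first processor block
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def build_asset(cpuinfo_text: str, vuln_status: dict) -> CpuAsset:
    """Combine /proc/cpuinfo content and {vuln_name: status_line} into a record."""
    f = parse_cpuinfo(cpuinfo_text)
    return CpuAsset(
        vendor=f.get("vendor_id", ""),
        model_name=f.get("model name", ""),
        family=int(f.get("cpu family", "0")),
        model=int(f.get("model", "0")),
        stepping=int(f.get("stepping", "0")),
        microcode=f.get("microcode", ""),
        flags=frozenset(f.get("flags", "").split()),
        bugs=frozenset(f.get("bugs", "").split()),
        vulnerabilities=dict(vuln_status),
    )


def read_host(cpuinfo_path: Path = Path("/proc/cpuinfo"),
              vuln_dir: Path = VULN_DIR) -> CpuAsset:
    """Build the record for the local Linux host (the mds file needs a kernel
    carrying the May 2019 MDS patches; older kernels simply omit it)."""
    status = {}
    if vuln_dir.is_dir():
        status = {p.name: p.read_text().strip() for p in vuln_dir.glob("*")}
    return build_asset(cpuinfo_path.read_text(), status)


# Constructed sample: a Coffee Lake desktop whose kernel has the MDS patches
# but whose microcode has not been updated (flags lack md_clear).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 158
model name\t: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
stepping\t: 10
microcode\t: 0xb4
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc ssbd ibrs ibpb stibp flush_l1d
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds

processor\t: 1
vendor_id\t: GenuineIntel
"""

SAMPLE_VULNS = {  # constructed; mirrors the kernel's sysfs status strings
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
}

if __name__ == "__main__":
    asset = build_asset(SAMPLE_CPUINFO, SAMPLE_VULNS)
    print(f"{asset.model_name} (family {asset.family} model {asset.model} "
          f"stepping {asset.stepping}, microcode {asset.microcode})")
    print("md_clear present:", asset.has_md_clear)
    print("unmitigated:", asset.unmitigated())
    print("SMT still exposed:", asset.smt_exposed())
```

Run `read_host()` instead of `build_asset(...)` on a real Linux box to populate the record; exporting the resulting dataclass per host gives an inventory the family/model/stepping and microcode revision needed to match vendor advisories, while `unmitigated()` and `smt_exposed()` flag the hosts that still need a microcode update or an SMT decision.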